CVE-2022-42003 (https://github.com/FasterXML/jackson-databind/issues/3590): In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

Patch: https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33

CVE-2022-42004 (https://github.com/FasterXML/jackson-databind/issues/3582): In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Patch: https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88

Seems we're waiting on 2.14.
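As an added illustration (not code from this bug thread or from the jackson-databind project): a depth guard built on Jackson's streaming parser, which walks tokens iteratively rather than recursing, so it can measure array/object nesting and reject deeply wrapped input before it reaches an ObjectMapper that has UNWRAP_SINGLE_VALUE_ARRAYS enabled. The class name, the MAX_DEPTH value and the constructed sample input are assumptions of the example; upgrading to a fixed release is still the actual remedy.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

public class NestingDepthGuard {
    // Assumed limit for this example; ordinary payloads need only a few levels.
    static final int MAX_DEPTH = 32;

    // Returns the maximum nesting depth seen, or throws once the limit is exceeded.
    // The streaming parser tracks context in a linked chain, not on the call stack,
    // so this pre-check does not itself suffer from the recursion the issue describes.
    static int checkDepth(String json, int maxDepth) throws IOException {
        int depth = 0, maxSeen = 0;
        try (JsonParser p = new JsonFactory().createParser(json)) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t == JsonToken.START_ARRAY || t == JsonToken.START_OBJECT) {
                    depth++;
                    if (depth > maxDepth) {
                        throw new IOException("nesting depth " + depth + " exceeds limit " + maxDepth);
                    }
                    maxSeen = Math.max(maxSeen, depth);
                } else if (t == JsonToken.END_ARRAY || t == JsonToken.END_OBJECT) {
                    depth--;
                }
            }
        }
        return maxSeen;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a single primitive wrapped in many arrays, the shape
        // that the UNWRAP_SINGLE_VALUE_ARRAYS code path unwraps level by level.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 200; i++) sb.append('[');
        sb.append('1');
        for (int i = 0; i < 200; i++) sb.append(']');
        String deep = sb.toString();

        ObjectMapper mapper = new ObjectMapper()
                .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
        try {
            checkDepth(deep, MAX_DEPTH);                 // rejects before databind sees it
            System.out.println("value: " + mapper.readValue(deep, Integer.class));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same guard is worth placing in front of any mapper that also uses the customized array handling mentioned for CVE-2022-42004, since the check is independent of which deserializer would have recursed.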
vaukai, are both of these patches in 2.13.4.1?
(In reply to John Helmert III from comment #1)
> vaukai, are both of these patches in 2.13.4.1?

If I don't misread https://github.com/FasterXML/jackson-databind/issues/3590#issuecomment-1276691918 I'd say yes.
Indeed, thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1702e89d38d5cb36e5e5f07fed89292cf2a603bc

commit 1702e89d38d5cb36e5e5f07fed89292cf2a603bc
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-10-13 05:37:39 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-10-14 18:42:41 +0000

    dev-java/jackson-databind: add 2.13.4.1, drop 2.13.4

    Bug: https://bugs.gentoo.org/874033
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/jackson-databind/Manifest                                  | 2 +-
 ...kson-databind-2.13.4.ebuild => jackson-databind-2.13.4.1.ebuild} | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Thanks! Please stabilize when ready
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c6207b924ced00516afb75774bb3432e8064d6b

commit 8c6207b924ced00516afb75774bb3432e8064d6b
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-10-20 12:20:55 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-10-20 16:31:54 +0000

    dev-java/jackson-databind: drop 2.13.3

    Closes: https://bugs.gentoo.org/832693
    Bug: https://bugs.gentoo.org/874033
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/jackson-databind/Manifest     |  1 -
 .../jackson-databind-2.13.3.ebuild     | 83 ----------------------
 2 files changed, 84 deletions(-)
GLSA request filed.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=9fffe4ab96a075d745848223a2c479909aa5003f

commit 9fffe4ab96a075d745848223a2c479909aa5003f
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:15:38 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:15 +0000

    [ GLSA 202210-21 ] FasterXML jackson-databind: Multiple vulnerabilities

    Bug: https://bugs.gentoo.org/874033
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-21.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
GLSA released, all done!